OS X plain text password flaw has been around for 3 months and counting

An errant debug switch in 10.7.3 could expose encrypted data for some Mac users.

A security flaw in the most recent version of OS X Lion, 10.7.3, lets anyone who can read the system log collect the passwords needed to decrypt legacy FileVault home directories or to access the remote home directories of networked users. The flaw was first reported three months ago, but it only became widely publicized after a security researcher posted details to a cryptography mailing list on Friday.

Only users with admin or root privileges can read the log file in which the passwords are stored as plain text, but malware running with those privileges could harvest the passwords from the file and use them to reach the affected users' personal data.

The security implications are even worse, though, according to security researcher David Emery. "The [system] log in question can also be read by booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file," he wrote to the cryptography mailing list on Friday. "This would allow someone to break into encrypted partitions on machines they did not have any idea of any login passwords for."

A process called "HomeDirMounter" is used by "authorizationhost" on OS X to mount remote home directories stored on a network server, which is common in enterprise environments such as offices and schools. It accesses the remote directory and mounts it on the local computer as if it lived on the main boot volume. The same process also mounts encrypted FileVault home directories created with earlier versions of OS X, which are stored in a separate encrypted virtual volume (a sparse bundle disk image).

In OS X 10.7.3, HomeDirMounter logs information that appears to be leftover debugging output from development of the 10.7.3 update. Among the information it writes to /var/log/secure.log is the password used to mount the home directory, in clear text, every time a remote or legacy FileVault home directory is mounted.

Thankfully, passwords for standard local users aren't logged. However, users relying on the older FileVault could have their encrypted data exposed to anyone with admin or root access to their machine, because the password recorded at mount time is the one that unlocks the encrypted home directory.

The same bug puts network users at risk: any user with admin privileges on a machine can read secure.log and collect the passwords of other network users who have recently logged in to that same machine.

The flaw appears to have first been reported by a German systems administrator who posted about it to Apple's support forums in February. His post went unanswered until this weekend, however, when Emery's detail of the flaw was widely circulated.

Apple does not appear to have acknowledged the flaw yet, but Paul Hazelden, a system administrator working in an education environment, claims in a post on Novell's support forums that betas of the next version of OS X, 10.7.4, do not exhibit the password logging problem. (Hazelden's school uses a Novell authentication service called Kanaka, which is indirectly affected by the same password logging bug.) It's also worth noting that the flaw is not present in OS X 10.7.2.

Until Apple releases the update to OS X, the only workaround appears to be running periodic scripts that purge the debug lines from secure.log. Note that this only cleans the live file: rotated copies of the log and any backups that include it keep the lines, so they need the same treatment, and any password that has already been logged should be treated as exposed and changed. Alternatively, local FileVault users can protect themselves somewhat by switching to FileVault 2, which encrypts the entire boot volume instead of individual home directories; that blocks the offline reads via target disk mode or the recovery partition that Emery describes, but it does nothing against an admin or malware reading the log on the running, unlocked system.
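The logging and the purge workaround described above, as an added example that is not code from the article, from Apple, or from Emery's post. The script scans a secure.log-style file for HomeDirMounter lines that carry a password, prints them with the secret redacted so an admin can see which accounts were exposed, and purges them in place, writing through a temporary copy so the log keeps its permissions. Because the page never quotes the debug message itself, the sample log lines, the `DEBUGLOG` marker and the `password:` field name are constructed assumptions; on a real 10.7.3 system the regular expression in `LEAK_PATTERN` would first need to be checked against the actual lines.

```shell
#!/bin/sh
# Added example, not Apple's or the article's code. Finds HomeDirMounter debug
# lines that carry a clear-text password in a secure.log-style file, shows them
# redacted, and purges them. ASSUMPTION: the exact wording of Apple's debug
# message is not on the page; the sample below is a constructed stand-in.

# Constructed sample log content standing in for /var/log/secure.log.
SAMPLE_LOG='May  6 09:12:01 mac01 authorizationhost[412]: Succeeded authorizing right system.login.console by client /System/Library/CoreServices/loginwindow.app
May  6 09:12:02 mac01 authorizationhost[412]: DEBUGLOG | HomeDirMounter | mounting home for user: jsmith, password: Sup3rS3cret!, server: afp://files.example.edu
May  6 09:12:02 mac01 authorizationhost[412]: DEBUGLOG | HomeDirMounter | mount of /Network/Servers/files.example.edu/Users/jsmith succeeded
May  6 09:13:40 mac01 sudo[519]: admin : TTY=ttys000 ; PWD=/Users/admin ; USER=root ; COMMAND=/usr/bin/less /var/log/secure.log'

# Only lines that come from HomeDirMounter AND carry a password field count as
# leaks; other HomeDirMounter lines are ordinary log noise and are kept.
LEAK_PATTERN='HomeDirMounter.*password'

# Number of leaking lines in the file $1. grep -c prints 0 (but exits 1) when
# nothing matches, so the exit status is swallowed to keep the count usable.
count_leaked_lines() {
    grep -cE "$LEAK_PATTERN" "$1" || true
}

# Print the leaking lines with everything after the password field replaced.
# Cutting to end of line rather than to the next delimiter means a password
# containing spaces or commas can never slip through the redaction.
list_leaked_lines() {
    grep -E "$LEAK_PATTERN" "$1" | sed -E 's/(password[:=]).*/\1 [REDACTED]/'
}

# Remove the leaking lines from $1 in place. The cleaned copy goes to a temp
# file created with cp -p so it inherits the log's mode (and owner, when run
# as root); the redirect then truncates that file without changing its mode,
# and the rename is atomic, so a crash mid-way never leaves a half-written or
# world-readable log behind.
purge_leaked_lines() {
    tmp="$1.purge.$$"
    cp -p "$1" "$tmp" || return 1
    grep -vE "$LEAK_PATTERN" "$1" > "$tmp" || true
    mv -f "$tmp" "$1"
}

# With a path argument, operate on that log, e.g. as root from cron/launchd:
#   sh purge_secure_log.sh /var/log/secure.log
# With no argument, run against the constructed sample in a temp file.
main() {
    if [ $# -ge 1 ]; then
        log="$1"
    else
        log=$(mktemp) || return 1
        printf '%s\n' "$SAMPLE_LOG" > "$log"
    fi
    echo "leaking lines before purge: $(count_leaked_lines "$log")"
    list_leaked_lines "$log"
    purge_leaked_lines "$log"
    echo "leaking lines after purge: $(count_leaked_lines "$log")"
    if [ $# -eq 0 ]; then rm -f "$log"; fi
}

main "$@"
```

Run against the live file it gives the periodic purge the article mentions, but it is not a complete fix: rotated archives of secure.log and any backup of the volume still hold the old lines and need the same treatment, rewriting the file does not wipe the previous contents from disk, and every password that was ever logged should be considered compromised and changed.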